School officials share latest on PowerSchool breach

Canton Public School administrators are still assessing the impact of a data breach reported recently by its student information system (SIS) provider, PowerSchool, a leading K-12 software firm that serves thousands of school districts across the country, including several in Massachusetts.

The company reportedly became aware of the breach on December 28, when they learned of unauthorized access to one of its customer support portals, PowerSource. Using compromised credentials, the hackers were able to log into the system and steal large amounts of SIS data pertaining to students on teachers.

On January 7, PowerSchool notified school districts about the breach, and Canton school officials immediately sent out a letter to families sharing what they knew at the time. The following day, CPS administrators shared additional details after taking part in a webinar hosted by the company’s senior executives.

During the webinar, PowerSchool confirmed that student and staff data from all of its SIS school districts — nearly 18,000 in all, including Canton — were accessed as part of this targeted attack.

For Canton students, the extracted data primarily includes directory and demographic information such as names, addresses, phone numbers, school-issued email addresses, student IDs, bus stops, state reporting fields, alerts, and other student-specific demographic information. For Canton staff, the data primarily includes their names, addresses, email addresses, phone numbers, and other demographic information.

School officials noted that highly sensitive data such as Social Security numbers, PowerSchool account access information, financial information, and evaluation records are not stored in Canton’s PowerSchool SIS.

According to PowerSchool executives, the company became aware of the breach when the hackers reached out and demanded payment, and they subsequently paid an undisclosed amount of money in exchange for video evidence that the data was deleted.

“We do not anticipate the data being shared or made public, and we believe it has been deleted without any further replication or dissemination,” PowerSchool officials said in a statement issued last week.

The company has notified the relevant law enforcement agencies and is working with CrowdStrike, a private cybersecurity firm, to uncover who was behind the breach.

PowerSchool is expected to release the full report from CrowdStrike by the end of this week and is conducting ongoing webinars and providing guidance to districts on next steps.

PowerSchool also informed school officials that all affected passwords have been reset and access controls have been enhanced.

A major player in the SIS market since the early 2000s, PowerSchool only recently became the provider of choice for Canton when the district overhauled its outdated SIS program in 2023-24. CPS offered extensive trainings on the new system throughout the last school year before officially going live across the district on July 1.

Josh Fogel, CPS director of technology and data analytics, is encouraging all CPS families and staff to remain vigilant against phishing attempts or suspicious communications, and to change passwords as a precaution. Fogel said the district has also created a Google form where families and staff can submit questions.

Fogel said CPS leaders will be closely following updates from PowerSchool and will continue to share new information as it becomes available via the district website at cantonma.org.

Short URL: https://www.thecantoncitizen.com/?p=130959

Posted by Mike Berger on Jan 17 2025. Filed under News, Schools. Both comments and pings are currently closed.